Passwords are tightly interwoven with the digital fabric of our current society. Unfortunately, passwords that provide better security generally tend to be more complex, both in length and composition. Complex passwords are problematic both cognitively and motorically, leading to both memory and motor errors during recall and entry. It is important that we better understand and disentangle the two error sources, as password entry errors can have significant negative consequences, such as being locked out of a critical information system. We present a computational cognitive model of password recall and typing, with memory and motor errors each contributing to password entry error. With this synthesis we can study human-computer interaction issues involving the usability of computer access control systems, specifically the password as an authentication mechanism. Ultimately we hope to make science-based recommendations for password policies that promote the use of passwords that are more usable.
Get full access to this article
View all access options for this article.
References
1.
AndersonJ. R.BothellD.ByrneM. D.DouglassS.LebiereC.QinY. (2004). An integrated theory of the mind. Psychological Review, 111(4), 1036-60. doi: 10.1037/0033-295X.111.4.1036
2.
AndersonJ. R. (2007). How can the human mind exist in the physical universe?New York, NY: Oxford University Press. Retrieved from Google Scholar.
3.
BaddeleyA. D.HitchG. (1974). Working memory. In BowerG. (ed.) Recent Advances in Learning and Motivation, vol. 8, pp. 47–90. Academic Press, New York.
4.
BothellD. (2014). ACT-R 6.0 reference manual. ACT-R Research Group. Retrieved from act-r.psy.cmu.edu
5.
BotvinickM.PlautD. C. (2004). Doing without schema hierarchies: A recurrent connectionist approach to normal and impaired routine sequential action. Psychol Rev, 111(2), 395-429. doi:10.1037/0033-295X.111.2.395
6.
CastellucciS. J.MacKenzieI. S. (2011). Gathering text entry metrics on android devices. In CHI 2011 Extended Abstracts on Human Factors in Computing Systems, pp. 1507–1512.
7.
CooverJ. E. (1923). A method of teaching typewriting based upon a psychological analysis of expert typing. National Education Association61, 561–567.
8.
ChiassonS.ForgetA.StobertE.Van OorschotP.BiddleR. (2009). Multiple password interference in text passwords and click-based graphical passwords. In Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 500–511.
9.
ChoongY.TheofanosM.LiuH. (2014). United States Federal Employees’ Password Management Behaviors - a Department of Commerce Case Study. National Institute of Standards and Technology Interagency Report (NISTIR)7991.
10.
ChoongY.TheofanosM. F. (2015). What 4,500+ People Can Tell You – Employees’ Attitudes toward Organizational Password Policy Do Matter. To Appear in Proceedings of the 3rd International Conference on Human Aspects of Information Security, Privacy and Trust, in the 17th International Conference on Human-Computer Interaction.
11.
DasA.StuerzlingerW. (2007). A cognitive simulation model for novice text entry on cell phone keypads. Proceedings of the 14th European Conference on Cognitive Ergonomics: invent! explore!, 141-147.
12.
FlorencioD.HerleyC. (2007). A large-scale study of web password habits. In Proceedings of the 16th International Conference on World Wide Web (WWW), pp. 657-666. ACM, New York.
13.
ForgetA.BiddleR. (2008). Memorability of persuasive passwords. In CHI 2008 Extended Abstracts on Human Factors in Computing Systems, pp. 3759–3764.
14.
GallagherM. A. (2015). Modeling Password Entry on Mobile Devices: Please Check Your Password and Try Again. Doctoral Dissertation, Rice University, Houston TX.
15.
GallagherM. A.ByrneM. D. (2015). Modeling Password Entry on a Mobile Device. To appear in Proceedings of the 2015 International Conference on Cognitive Modeling.
16.
GallagherM. A.ByrneM. D. (2013). The devil is in the distribution: Refining an ACT-R model of a continuous motor task. In Proceedings of the 12th International Conference on Cognitive Modeling. Ottawa, Canada.
17.
GentnerD. (1981). Skilled finger movements in typing. Center for Information Processing, University of California, San Diego. CHIP Report 104
18.
GreeneK. K.GallagherM. A.StantonB. C.LeeP. Y. (2014). I Can’t Type That! P@$$w0rd Entry on Mobile Devices. In Human Aspects of Information, Security, Privacy, and Trust. Lecture Notes in Computer Science, Vol.8533, pp 160-171.
19.
GreeneK. K.TamborelloF. P. (2015). Password Entry Errors: Memory or Motor?To appear in Proceedings of the 2015 International conference on Cognitive Modeling.
20.
HonanM. (2012). Kill the password: Why a string of characters can’t protect us anymore. Wired.
21.
JohnB.E. (1988). Contributions to Engineering Models of Human-Computer Interaction, Department of Psychology, Carnegie-Mellon University, Ph.D. thesis.
22.
JohnB.E. (1996). TYPIST: A theory of performance in skilled typing. Human Computer Interaction, 11, 321-355.
23.
LandauerT. K. (1987). Relations between cognitive psychology and computer systems design. In CarrollJ. M. (Ed.), Interfacing thought: Cognitive aspects of human- computer interaction (pp. 1-25). Cambridge, MA: MIT Press.
24.
MayK. (2012). A model of error in 2D pointing tasks. Undergraduate Honors Thesis, Rice University, Houston, TX.
25.
MeyerD. M.KierasD. K. (1997). A computational theory of executive control processes and human multiple-task performance: Part 1. Basic mechanisms. Psychological Review, 104, 3-65. Retrieved from Google Scholar.
26.
MeyerD. M.KierasD. K. (1997). A computational theory of executive control processes and human multiple-task performance: Part 2. Accounts of psychological refractory- period phenomena. Psychological Review, 104, 749-791. Retrieved from Google Scholar.
27.
MillerG. A. (1956). The magical number seven, plus or minus two: Some limits on our capacity for processing information. Psychological Review63(2), 81–97.
28.
MorrisR.ThompsonK. (1979). Password Security: A Case History. Communications of the ACM, 22(11): 594-597.
29.
MorrisR.ThompsonK. (1979). Password Security: A Case History. Communications of the ACM, 22(11): 594-597.
NicolauH.JorgeJ. (2012). Elderly text-entry performance on touchscreens. In Proceedings of the 14th International ACM SIGACCESS Conference on Computers and Accessibility. ACM, Boulder.
32.
NicolauH.JorgeJ. (2012). Touch typing using thumbs: understanding the effect of mobility and hand posture. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2683–2686.
SalthouseT. (1984). Effects of age and skill in typing. Journal of Experimental Psychology113(3), 345–371
35.
SalthouseT. (1986). Perceptual, cognitive, and motoric aspects of transcription typing. Psychological Bulletin99(3), 303–319.
36.
SheltonD. C. (2014). Reasons for Non-Compliance with Mandatory Information Assurance Policies by a Trained Population. Doctoral Dissertation, Capitol Technology University.
37.
StantonB. C.GreeneK. K. (2014). Character Strings, Memory and Passwords: What a Recall Study Can Tell Us. In Human Aspects of Information, Security, Privacy, and Trust. Lecture Notes in Computer Science, Vol. 8533, pp 195-206.
38.
United States Department of Homeland Security. (2009). United States Computer Emergency Readiness Team (US- CERT), Security tip (ST04-002): Choosing and protecting passwords. Retrieved online from http://www.us-cert.gov/cas/tips/ST04-002.html
39.
UnsworthN.EngleR. W. (2007). The foundations of remembering: Essays in honor of Henry L. Roedgier III, pp. 241-258. Psychology Press, New York.
40.
VuK.Bhargav-SpantzelA.ProctorR. (2003). Imposing password restrictions for multiple accounts: Impact on generation and recall of passwords. In Proceedings of the 47th Annual Meeting of the Human Factors and Ergonomics Society (HFES), pp. 1331–1335.
